1. Field of the Invention
The present invention generally relates to compliance with corporate governance and business requirements. More particularly, embodiments of the present invention relate to the measurement, assessment, and computation of risks associated with compliance with corporate governance and business requirements for organizations, companies, and business enterprises.
2. Background Art
In today's highly regulated business environment, companies have to comply with various external regulations, laws, and mandates, such as the Sarbanes-Oxley Act, which requires companies to implement business controls to ensure proper financial reporting processes. In addition, many companies have implemented internal business policies and standards based on industry standards and “best practices,” such as ISO:27001, which provides companies with a framework to implement information security processes. It is important for companies to be able to measure and assess their compliance with such external and internal business requirements.
One process for assessing compliance with such business requirements is to first categorize compliance-related information into three components: (1) References—for external regulations and internal business requirements; (2) Standards—for internal policies and standards to meet such regulations and business requirements; and (3) Controls—which are specific actions or implementations to meet such Standards.
Next, References that are relevant to the business are identified and collected. References, which are business requirements, can come from many sources. For example, regulatory requirements are placed on businesses through legislative and industry regulations. Internal requirements in the form of service level agreements and business partner agreements define specific targets and objectives for businesses. Industry “best practices” and frameworks provide further recommended requirements and procedures for many businesses. The sum of all of these requirements defines the overall business and risk objectives of an organization, which are documented in References.
Standards, which are internal policies and standards for addressing such References, are established and mapped to References. Specifically, policies and standards are formulated and established to meet the desired References. Each company has its own set of policies and standards to meet regulations and business requirements.
Controls for meeting Standards are documented and mapped to Standards. There are many different types of Controls, depending on whether the Controls are for business processes, technology, or people/roles within the organization. Controls are the particular actions, procedures, or implementations necessary to address the Standards associated with the resources or assets.
Once Controls are defined and put in place, they are tested and the results are collected to determine the state of compliance. Controls can be tested manually, in the form of a questionnaire or survey, or automatically, using various hardware devices and software applications. However, merely testing Controls does not fully assess the state of compliance. While individual Controls may have a “pass” or “fail” response or an “on” or “off” status, the overall status of the Controls, by themselves, is not sufficient to quantify the “risks” associated with non-compliance with business requirements. Risk as used herein refers to the gap between compliance with certain business requirements and the actual state of the controls and standards that are implemented to meet such requirements. In other words, risk, from a compliance standpoint, is the gap, or residual, between the desired state of compliance and the actual state of compliance. It is important for businesses to identify, measure, and assess the amount of residual risk that exists in their corporate compliance programs.
Furthermore, users need to be able to “weigh in” on the importance of various References, Standards, and Controls in determining the risks associated with compliance in their business environment.
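The procedure described above (References mapped to Standards mapped to Controls, Control test results collected, and the residual gap computed with user-supplied weights) can be illustrated with a small model. The following is an added example written for this page, not code from the patent or its applicant. The patent does not specify a formula; the aggregation used here (a weighted fraction of failing Controls rolled up to each Standard, then to each Reference, with a Standard that has no Controls counted as a full gap) is an assumption, as are the sample Reference, Standard and Control names.

```python
"""Illustrative residual-risk roll-up over a Reference -> Standard -> Control hierarchy.

Assumed model (not from the patent): a Control contributes a gap of 1.0 when it
fails and 0.0 when it passes; each level aggregates the weighted average of the
gaps of the level below, using the weights a user assigns to express importance.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    """A specific action or implementation, tested with a pass/fail result."""
    name: str
    passed: bool
    weight: float = 1.0  # user-assigned importance (assumption)


@dataclass
class Standard:
    """An internal policy or standard, mapped to the Controls that address it."""
    name: str
    controls: List[Control] = field(default_factory=list)
    weight: float = 1.0


@dataclass
class Reference:
    """An external regulation or internal requirement, mapped to Standards."""
    name: str
    standards: List[Standard] = field(default_factory=list)
    weight: float = 1.0


def control_gap(control: Control) -> float:
    """Gap between desired state (pass) and actual state of one Control."""
    return 0.0 if control.passed else 1.0


def _weighted_gap(items, gap_fn) -> float:
    """Weighted average of the gaps of the child items.

    An empty child list means nothing is implemented for this level, which is
    treated as a full gap of 1.0 (assumption made for this example).
    """
    total_weight = sum(item.weight for item in items)
    if total_weight <= 0:
        return 1.0
    return sum(item.weight * gap_fn(item) for item in items) / total_weight


def standard_gap(standard: Standard) -> float:
    """Residual gap of a Standard, rolled up from its Controls."""
    return _weighted_gap(standard.controls, control_gap)


def reference_gap(reference: Reference) -> float:
    """Residual gap of a Reference, rolled up from its Standards."""
    return _weighted_gap(reference.standards, standard_gap)


def assess(references: List[Reference]) -> Dict[str, float]:
    """Residual risk per Reference, 0.0 (fully compliant) to 1.0 (nothing in place)."""
    return {ref.name: reference_gap(ref) for ref in references}


def overall_residual_risk(references: List[Reference]) -> float:
    """Single weighted residual-risk figure across all References."""
    return _weighted_gap(references, reference_gap)


def build_sample_program() -> List[Reference]:
    """Constructed sample data: names, weights and test results are made up."""
    access_control = Standard("Access control policy", weight=2.0, controls=[
        Control("Quarterly access review", passed=True),
        Control("MFA on financial systems", passed=False, weight=2.0),
    ])
    change_mgmt = Standard("Change management", controls=[
        Control("Change approval logged", passed=True),
        Control("Segregation of duties", passed=True),
    ])
    # A Standard with no Controls mapped yet: full gap under this example's rule.
    incident_mgmt = Standard("Incident management")
    return [
        Reference("SOX 404", standards=[access_control, change_mgmt]),
        Reference("ISO 27001", standards=[incident_mgmt]),
    ]


if __name__ == "__main__":
    program = build_sample_program()
    for name, risk in assess(program).items():
        print(f"{name}: residual risk {risk:.2%}")
    print(f"Overall: {overall_residual_risk(program):.2%}")
```

With the constructed data, the failing MFA Control (weight 2 of 3) leaves a two-thirds gap on the access-control Standard, which at weight 2 against a fully compliant change-management Standard at weight 1 gives SOX 404 a residual risk of 4/9; the Reference whose only Standard has no Controls scores 1.0. Changing a weight changes the roll-up, which is the “weigh in” capability the text calls for.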
Therefore, there is a need for a risk assessment system that can measure and assess the state of compliance and quantify the risks associated with compliance with business requirements.